Ransomware
Advanced wiper module added to Anubis RaaS payload

BleepingComputer reports that the Anubis ransomware-as-a-service operation has intensified its extortion model by integrating a new wiper module into its file-encrypting malware, which enables permanent file erasure and hinders data recovery even after ransom payment.
Anubis has leveraged phishing emails with nefarious links or attachments to facilitate the deployment of its malware, which contains the '/WIPEMODE' command-line parameter. When enabled, the parameter deletes all file contents while maintaining their filenames and structure, according to an analysis from Trend Micro. While important system and program directories are not impacted, Anubis' payload discards Volume Shadow Copies and ends processes that could impact its Elliptic Curve Integrated Encryption Scheme-based encryption process. "This destructive tendency adds pressure on victims and raises the stakes of an already damaging attack," said Trend Micro. Such findings come months after Anubis was reported to have opened an affiliate program, which KELA researchers noted provided 50%, 60%, and 80% of the proceeds to initial access brokers, data extortion affiliates, and ransomware affiliates, respectively.